
[SCM] Debian package checker branch, master, updated. 2.3.1-26-g7928943



The following commit has been merged in the master branch:
commit cb8dbe5f5dfbd3650aae9e598f45f38a08fa2f51
Author: Raphael Geissert <atomo64@gmail.com>
Date:   Wed Jan 20 14:14:01 2010 -0600

    Fix CVE-2009-4015, arbitrary command execution
    
    File names were not properly escaped when passed as arguments to
    certain commands, allowing other commands to be executed via pipes or
    as a sequence of shell commands.

diff --git a/checks/files b/checks/files
index 70b2cb8..9e2a0aa 100644
--- a/checks/files
+++ b/checks/files
@@ -753,7 +753,7 @@ foreach my $file (sort keys %{$info->index}) {
 
 	# ---------------- embedded Feedparser library
 	if ($file =~ m,/feedparser\.py$, and $pkg ne "python-feedparser") {
-	    open(FEEDPARSER, "unpacked/$file") or fail("cannot open feedparser.py file: $!");
+	    open(FEEDPARSER, '<', "unpacked/$file") or fail("cannot open feedparser.py file: $!");
 	    while (<FEEDPARSER>) {
 		if (m,Universal feed parser,) {
 		    tag "embedded-feedparser-library", "$file";
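Review bot: The three-argument open on the `+` line closes the mode-injection hole, but the match that guards it, `m,/feedparser\.py$,`, still ends in `$`, which also matches before a trailing newline, so an index entry named "feedparser.py" followed by a newline would be treated as the library file should the index ever carry such a name; `\z` pins the true end of string: `if ($file =~ m,/feedparser\.py\z, and $pkg ne "python-feedparser") {`. FEEDPARSER is also still a bareword package-global handle and nothing in the hunk closes it; a lexical `open(my $fp, '<', "unpacked/$file")` would be closed automatically when it goes out of scope. The enclosing foreach starts and ends outside the hunk.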
@@ -766,7 +766,7 @@ foreach my $file (sort keys %{$info->index}) {
 	# ---------------- embedded PEAR modules
 	foreach my $pearmodule (@pearmodules) {
 	    if ($file =~ m,/$pearmodule->[0], and $pkg ne $pearmodule->[1]) {
-		open (PEAR, "unpacked/$file") or fail("cannot open PHP file: $!");
+		open (PEAR, '<', "unpacked/$file") or fail("cannot open PHP file: $!");
 		while (<PEAR>) {
 		    if (m,/pear[/.],i) {
 			tag "embedded-pear-module", "$file";
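Review bot: `$pearmodule->[0]` is interpolated into the pattern on the `if` line without quoting, so any regex metacharacter in the entry — a `.` in a file name being the obvious one — widens the match beyond the literal path, and the pattern has no end anchor at all; if the entries are complete file names, `if ($file =~ m,/\Q$pearmodule->[0]\E\z, and $pkg ne $pearmodule->[1]) {` matches the literal name only. Whether the @pearmodules data actually contains such characters is not visible in this diff. PEAR is likewise a bareword global handle that is not closed within the hunk. The enclosing foreach loops start and end outside the hunk.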
diff --git a/checks/patch-systems b/checks/patch-systems
index da7a7f5..9934d46 100644
--- a/checks/patch-systems
+++ b/checks/patch-systems
@@ -215,7 +215,7 @@ sub check_patch($) {
 	# in the debian/* directory, but as of 2010-01-01, all cases where the
 	# first level of the patch path is "debian/" in the archive are false
 	# positives.
-	open(DIFFSTAT, "-|", "diffstat -p1 -l debfiles/patches/$patch_file")
+	open(DIFFSTAT, "-|", 'diffstat', '-p1', '-l', "debfiles/patches/$patch_file")
 	  or fail("can't fork diffstat");
 	while (<DIFFSTAT>) {
 		chomp;
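Review bot: The list-form open on the `+` line removes the shell entirely, which is the right fix, but the `or fail("can't fork diffstat")` that follows discards `$!`, so a failed fork is reported without its cause; `or fail("can't fork diffstat: $!");` keeps it. With a list-form pipe open a missing or non-executable diffstat no longer surfaces at open time — the child reports it through its exit status — so the `close(DIFFSTAT)` that presumably follows outside the hunk should be checked, e.g. `close(DIFFSTAT) or fail("diffstat failed: $?");`. check_patch's body continues outside the hunk.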
diff --git a/checks/po-debconf b/checks/po-debconf
index 63fa55e..dbe0469 100644
--- a/checks/po-debconf
+++ b/checks/po-debconf
@@ -162,10 +162,10 @@ while (defined(my $file=readdir(DEBIAN))) {
         }
         tag "unknown-encoding-in-po-file", "debian/po/$file"
                 unless length($charset);
-	system_env("msgfmt -o /dev/null debfiles/po/$file 2>/dev/null") == 0
+	system_env("msgfmt -o /dev/null \Qdebfiles/po/$file\E 2>/dev/null") == 0
 		or tag "invalid-po-file", "debian/po/$file";
 
-	my $stats = `LANG=C msgfmt -o /dev/null --statistics debfiles/po/$file 2>&1`;
+	my $stats = `LANG=C msgfmt -o /dev/null --statistics \Qdebfiles/po/$file\E 2>&1`;
 	if (!$full_translation && $stats =~ m/^\w+ \w+ \w+\.$/) {
 		$full_translation = 1;
 	}
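Review bot: `\Q…\E` on both `+` lines is regex quoting (quotemeta), not shell quoting: it backslash-escapes every non-word character, which POSIX sh honours for every character except a newline, where backslash-newline is a line continuation and the character is silently dropped, so a name containing one would make msgfmt run against a different path. It works here by coincidence of the two quoting grammars, whereas the same commit already uses the robust form in checks/patch-systems (list-form open, no shell); the equivalent here is `local $ENV{LANG} = 'C';` plus a list-form `open(my $fh, '-|', 'msgfmt', '-o', '/dev/null', '--statistics', "debfiles/po/$file")`, with stderr redirected in the forked child rather than via `2>/dev/null`/`2>&1`. Whether system_env accepts a list is not visible in this diff. The same quotemeta-for-shell pattern is used in every `\Q$bin\E` hunk of collection/objdump-info and in the iconv open in lib/Util.pm. The enclosing while loop starts and ends outside the hunk.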
diff --git a/collection/objdump-info b/collection/objdump-info
index 803ca6f..2ad5feb 100755
--- a/collection/objdump-info
+++ b/collection/objdump-info
@@ -54,20 +54,20 @@ while (<FILES>) {
 
 	print OUT "-- $bin\n";
 
-	system("head $bin | grep -q 'packed.*with.*UPX'");
+	system("head \Q$bin\E | grep -q 'packed.*with.*UPX'");
 	print OUT "objdump: $bin: Packed with UPX" if $? == 0;
 
-	if (open(PIPE, '-|', "readelf -l $bin 2>&1")) {
+	if (open(PIPE, '-|', "readelf -l \Q$bin\E 2>&1")) {
 	    local $/;
 	    local $_ = <PIPE>;
 	    print OUT $_;
 	    close PIPE;
 	}
 
-	system("objdump -T $bin >/dev/null 2>&1");
+	system("objdump -T \Q$bin\E >/dev/null 2>&1");
 	if ($? == 0) {
 	    # Seems happy so slurp the full output
-	    if (open(PIPE, '-|', "objdump --headers --private-headers -T $bin 2>&1")) {
+	    if (open(PIPE, '-|', "objdump --headers --private-headers -T \Q$bin\E 2>&1")) {
 		local $/;
 		local $_ = <PIPE>;
 		print OUT $_;
@@ -77,7 +77,7 @@ while (<FILES>) {
 	    $failed = 1;
 	    my $invalidop = 0;
 	    my $objdumpout = '';
-	    if (open(PIPE, '-|', "objdump --headers --private-headers -T $bin 2>&1")) {
+	    if (open(PIPE, '-|', "objdump --headers --private-headers -T \Q$bin\E 2>&1")) {
 		while(<PIPE>) {
 		    $objdumpout .= $_;
 		    if (m/Invalid operation$/) {
@@ -106,7 +106,7 @@ while (<FILES>) {
 		# objdump output and let the scripts handle it
 
 		print OUT $objdumpout;
-	    } elsif (system("readelf -l $bin 2>&1 | grep -q 'Error: Not an ELF file'") == 0) {
+	    } elsif (system("readelf -l \Q$bin\E 2>&1 | grep -q 'Error: Not an ELF file'") == 0) {
 		print OUT "objdump: $bin: File format not recognized\n";
 	    } else {
 		# We're using etch's binutils so attempt to build an output
@@ -116,7 +116,7 @@ while (<FILES>) {
 		my @sections;
 		my @symbol_versions;
 
-		if (open(PIPE, '-|', "readelf -W -l -t -d -V $bin")) {
+		if (open(PIPE, '-|', 'readelf', '-W', '-l', '-t', '-d', '-V', $bin)) {
 		    my $section = '';
 		    my %program_headers;
 
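Review bot: With the list-form open on the `+` line, `$bin` now reaches readelf verbatim, so a file name beginning with `-` would be parsed as an option rather than a path; readelf uses getopt_long, so an option terminator protects it: `open(PIPE, '-|', 'readelf', '-W', '-l', '-t', '-d', '-V', '--', $bin)`. Whether `$bin` can carry a leading dash depends on how the FILES list is produced, which is outside this diff. The same applies to the `readelf -W -s -D` open in the next hunk. Both opens ignore a failed fork silently, which matches the surrounding style but leaves a missing readelf indistinguishable from an empty result. The enclosing while loop starts and ends outside the hunk.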
@@ -179,7 +179,7 @@ while (<FILES>) {
 		    close PIPE;
 		}
 
-		if (open(PIPE, '-|', "readelf -W -s -D $bin")) {
+		if (open(PIPE, '-|', 'readelf', '-W', '-s', '-D', $bin)) {
 		    print OUT "DYNAMIC SYMBOL TABLE:\n";
 
 		    while(<PIPE>) {
diff --git a/lib/Util.pm b/lib/Util.pm
index 7a82d64..136a04d 100644
--- a/lib/Util.pm
+++ b/lib/Util.pm
@@ -217,7 +217,7 @@ sub file_is_encoded_in_non_utf8 {
 	my ($file, $type, $pkg) = @_;
 	my $non_utf8 = 0;
 
-	open (ICONV, '-|', "env LANG=C iconv -f utf8 -t utf8 $file 2>&1")
+	open (ICONV, '-|', "env LANG=C iconv -f utf8 -t utf8 \Q$file\E 2>&1")
 	    or fail("failure while checking encoding of $file for $type package $pkg");
 	my $line = 1;
 	while (<ICONV>) {
diff --git a/private/refresh-manual-refs b/private/refresh-manual-refs
index 47eb132..e61f455 100755
--- a/private/refresh-manual-refs
+++ b/private/refresh-manual-refs
@@ -134,7 +134,7 @@ sub extract_refs {
     my ($fh, $manual, $title, $page, $url, $ref_re, $fields) = @_;
     my @linked_pages = ();
 
-    open(PAGE, "$page") or die "Couldn't open $page: $!";
+    open(PAGE, '<', $page) or die "Couldn't open $page: $!";
 
     # Read until there are 2 newlines. This hack is needed since some lines in
     # the Developer's Reference are cut in the middle of <a>...</a>.
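Review bot: The three-argument open on the `+` line is the fix, but PAGE remains a bareword package-global handle, so any nested call that opens PAGE would clobber it, and nothing in the hunk closes it; a lexical handle, `open(my $page_fh, '<', $page) or die "Couldn't open $page: $!";`, is scoped to the sub and closed automatically when it goes out of scope, though the reads of PAGE that follow would need updating. This is a point of style only; extract_refs continues outside the hunk.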
diff --git a/t/tests/binaries-embedded-zlib/debian/Makefile b/t/tests/binaries-unsafe-open/debian/Makefile
similarity index 65%
copy from t/tests/binaries-embedded-zlib/debian/Makefile
copy to t/tests/binaries-unsafe-open/debian/Makefile
index 8fb317e..f06dce3 100644
--- a/t/tests/binaries-embedded-zlib/debian/Makefile
+++ b/t/tests/binaries-unsafe-open/debian/Makefile
@@ -3,7 +3,7 @@ all:
 
 install:
 	install -d $(DESTDIR)/usr/bin
-	install -m 755 -c dummy $(DESTDIR)/usr/bin/dummy
+	install -m 755 -c dummy $(DESTDIR)/usr/bin/'dummy||uname'
 
 clean distclean:
 	rm -f dummy
diff --git a/t/tests/binaries-general/debian/basic.c b/t/tests/binaries-unsafe-open/debian/dummy.c
similarity index 56%
copy from t/tests/binaries-general/debian/basic.c
copy to t/tests/binaries-unsafe-open/debian/dummy.c
index 00f3787..54dcf61 100644
--- a/t/tests/binaries-general/debian/basic.c
+++ b/t/tests/binaries-unsafe-open/debian/dummy.c
@@ -3,5 +3,5 @@
 int
 main(void)
 {
-    printf("Hello world!\n");
+    printf("hello world\n");
 }
diff --git a/t/tests/binaries-unsafe-open/desc b/t/tests/binaries-unsafe-open/desc
new file mode 100644
index 0000000..c0a1831
--- /dev/null
+++ b/t/tests/binaries-unsafe-open/desc
@@ -0,0 +1,5 @@
+Testname: binaries-unsafe-open
+Sequence: 6000
+Architecture: any
+Version: 1.0
+Description: Test for possible command execution when processing filenames
diff --git a/t/tests/binaries-unsafe-open/tags b/t/tests/binaries-unsafe-open/tags
new file mode 100644
index 0000000..55be33c
--- /dev/null
+++ b/t/tests/binaries-unsafe-open/tags
@@ -0,0 +1 @@
+W: binaries-unsafe-open: binary-without-manpage usr/bin/dummy||uname
